Re: enabling cephx by default

[Wido den Hollander <wido@widodh.nl>]

On 09/12/2012 02:25 AM, Sage Weil wrote:
> The next stable release will have cephx authentication enabled by default.
> We will probably do it in the next development release (v0.53) to work out
> any upgrade kinks well before that.  The process for setting up teh
> authentication keys on an existing cluster is at
>
> 	http://ceph.com/docs/master/cluster-ops/authentication/
>
> This needs a few eyeballs to make sure the upgrade process makes sense...
>

"Generate a secret key for every OSD, where {$id} is the OSD number:"

Where does {$id} come from? I know it's just a variable which the users 
needs to fill in, but it could be somewhat confusing.

You could do:

for id in {0..10}; do
ceph auth get-or-create osd.${id} mon 'allow rwx' osd 'allow *' -o 
/var/lib/ceph/osd/ceph-${id}/keyring;
done

I know this doesn't work for the mds which uses alpha-numeric names, but 
imho the {$id} variable seems to come from nowhere.

Maybe an example to make it more clear, because later in the page $id is 
used without the brackets ( { & } )


Later on, this command won't work:
$ sudo ceph auth get-or-create client.admin mds 'allow' osd 'allow *' 
mon 'allow *' > /etc/ceph/keyring

The "ceph" command gets executed as root, but the output won't, so 
writing to /etc/ceph/keyring will fail.

We could assume everybody executes these commands as root, but it might 
be somewhat confusing if one command has "sudo" prefixed and other 
don't. That might suggest it's somewhat special.

The same goes for a couple of commands after the one mentioned above.

I haven't tested the upgrade itself, but this is what I noticed while 
reading the docs.

Wido


> Thanks!
> sage
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>